What is CERT?

Center of Internet security expertise

Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today.

Located in the Software Engineering Institute (SEI)

• Federally Funded Research & Development Center (FFRDC)

• Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)
Overview of Talk

Background

• Introduction

• Evolution of CERT’s insider threat research

Insider IT Sabotage - Key Observations

• Case examples

• Statistics

MERIT Models of Insider IT Sabotage

Common Sense Guide - Best Practices

Future Work
2006 e-Crime Watch Survey

CSO Magazine, USSS & CERT
434 respondents

Chart: Percentage of Incidents With no
Chart: Percentage of insiders versus outsiders
Types of Insider Crimes

Fraud: obtaining property or services from the organization unjustly through deception or trickery.

Theft of Information: stealing confidential or proprietary information from the organization.

IT Sabotage: acting with intention to harm a specific individual, the organization, or the organization’s data, systems, and/or daily business operations.
Examples of Insider Crimes

Fraud examples:

- Sale of confidential information (SSN, credit card numbers, etc.)

- Modification of critical data for pay (driver’s license records, criminal records, welfare status, etc.)

- Stealing of money (financial institutions, government organizations, etc.)

Theft of Information examples:

- Theft of customer information

- Theft of source code

- Theft of organization’s data

Sabotage examples:

- Deletion of information

- Bringing down systems

- Web site defacement to embarrass organization

Software Engineering Institute, Carnegie Mellon


Evolution of CERT Insider Threat Research

Insider threat case studies

• U.S. Department of Defense Personnel Security Research Center (PERSEREC)

• CERT/U.S. Secret Service Insider Threat Study

Best practices

• Carnegie Mellon CyLab Common Sense Guide to Prevention and Detection of Insider Threats

System dynamics modeling

• Carnegie Mellon CyLab - Management and Education on the Risk of Insider Threat (MERIT)

• PERSEREC

CERT/USSS Insider Threat Study

Definition of insider:

Current or former employees or contractors who

o intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that

o targeted a specific individual or affected the security of the organization’s data, systems and/or daily business operations
Insider Threat Study

• Funded by US Secret Service (partially by Department of Homeland Security)

• Examined technical & psychological aspects

• Analyzed actual cases to develop information for prevention & early detection

• Methodology:

o Collected cases (150)

o Codebooks

o Interviews

o Reports

o Training
Insider Threat Study Case Breakdown

116 cases total (chart):

• IT Sabotage: 54

• Fraud: 44

• Theft of IP (Theft of Information): 40
Next: The Big Picture

Important aspects of the insider threat problem:

• Interaction of policies, practices, and technology over time

• Interaction between psychological & technical aspects of the problem

Need for innovative training materials

CyLab funding:

• MERIT: Management and Education of the Risk of Insider Threat

• Initial Proof of Concept: insider IT sabotage
Definition of Insider IT Sabotage

Cases across critical infrastructure sectors in which the insider’s primary goal was to

— sabotage some aspect of an organization or

— direct specific harm toward an individual(s).
Insider IT Sabotage - Key Observations
Who Were the Saboteurs?

Age: 17-60

Gender: mostly males

Variety of racial & ethnic backgrounds

Marital status: fairly evenly split married versus single

Almost 1/3 had previous arrests
Observation #1:

Most insiders had personal predispositions that contributed to their risk of committing malicious acts.
Case Example - Observation #1

A database administrator wipes out critical data after her supervisor and coworkers undermine her authority.

Diagram: Personal Predispositions
Observation #2:

Most insiders’ disgruntlement is due to unmet expectations.
Case Example - Observation #2

A network engineer retaliates after his hopes of recognition and technical control are dashed.

Diagram: Unmet Expectations
Observation #3:

In most cases, stressors, including sanctions and precipitating events, contributed to the likelihood of insider IT sabotage.
Case Example - Observation #3

A disgruntled system administrator strikes back after his life begins to fall apart personally and professionally.

Diagram: Stressors / Sanctions / Precipitating Events
Observation #4:

Behavioral precursors were often observable in insider IT sabotage cases but ignored by the organization.
Case Example - Observation #4

A “weird tech guy” is able to attack following termination because no one recognizes the danger signs.

Diagram: Behavioral Precursors
Observation #5:

Insiders created or used access paths unknown to management to set up their attack and conceal their identity or actions.

The majority attacked after termination.
Case Example - Observation #5

The “weird tech guy” realizes the end is near, so he sneakily sets up his attack.
Diagram: Created or used unknown access paths
Observation #6:

In many cases, organizations failed to detect technical precursors.
Case Example - Observation #6

A logic bomb sits undetected for 6 months before finally wreaking havoc on a telecommunications firm.

Diagram: Technical precursors undetected
Observation #7:

Lack of physical and electronic access controls facilitated IT sabotage.
Case Example - Observation #7

Emergency services are forced to rely on manual address lookups for 911 calls when an insider sabotages the system.

Diagram: Lack of Access Controls / Adequate Access


MERIT Model(s) - Insider IT Sabotage
System Dynamics Approach

A method and supporting toolset

• to holistically model, document, and analyze

• complex problems as they evolve over time

• and develop effective mitigation strategies

• that balance competing concerns

System Dynamics supports simulation to

• validate the characterization of the problem

• test out alternate mitigation strategies
MERIT Model - Extreme Overview

Best Practices

CyLab Common Sense Guide - Best Practices
• Institute periodic enterprise-wide risk assessments.

• Institute periodic security awareness training for all employees.

• Enforce separation of duties and least privilege.

• Implement strict password and account management policies and practices.

• Log, monitor, and audit employee online actions.

• Use extra caution with system administrators and privileged users.

• Actively defend against malicious code.

• Use layered defense against remote attacks.

• Monitor and respond to suspicious or disruptive behavior.

• Deactivate computer access following termination.

• Collect and save data for use in investigations.

• Implement secure backup and recovery processes.

• Clearly document insider threat controls.
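The check below is added here as an example; it is not part of the CERT talk or of the Common Sense Guide. It shows one way to operationalize two of the practices above ("Deactivate computer access following termination" and "Log, monitor, and audit employee online actions") together with Observation #5's finding that insiders used access paths unknown to management and mostly attacked after termination: a periodic reconciliation of enabled accounts against the HR roster and an inventory of approved accounts. The HR roster, account inventory and account snapshot are constructed sample data, and the function and field names (`audit_accounts`, `run_audit`, `Person`, `Account`) are the example's own, not any real product's API.

```python
"""Added example (not from the CERT talk): reconcile enabled accounts against
the HR roster and an authorized-access inventory.

Flags the conditions the talk's observations and best practices describe:
accounts still enabled (or still used) after their owner's termination date,
and enabled accounts management has no record of.  All data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Person:
    employee_id: str
    terminated: Optional[date]   # None while still employed


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str                # HR employee id; "" when nobody is on record as owner
    enabled: bool
    last_login: Optional[date]


# Constructed HR roster: who is still employed, who has left, and when.
HR_ROSTER: Dict[str, Person] = {
    "E100": Person("E100", terminated=None),
    "E200": Person("E200", terminated=date(2024, 3, 1)),
    "E300": Person("E300", terminated=date(2024, 2, 10)),
    "E400": Person("E400", terminated=None),
}

# Constructed inventory of accounts that management has documented and approved.
AUTHORIZED_ACCOUNTS: Set[str] = {"alice", "bob", "carol"}

# Constructed snapshot of the directory / system account database.
ACCOUNTS: List[Account] = [
    Account("alice", "E100", enabled=True, last_login=date(2024, 3, 9)),
    Account("bob", "E200", enabled=True, last_login=date(2024, 3, 5)),    # left 1 Mar, still logging in
    Account("carol", "E300", enabled=False, last_login=date(2024, 2, 9)),  # correctly disabled
    Account("dave", "E400", enabled=True, last_login=date(2024, 3, 8)),    # employed, but undocumented
    Account("svc_backup2", "", enabled=True, last_login=None),            # no owner, not in inventory
]

# Constructed date on which the audit is run.
AUDIT_DATE = date(2024, 3, 10)


def audit_accounts(
    accounts: Iterable[Account],
    roster: Dict[str, Person],
    authorized: Set[str],
    today: date,
) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every enabled account that needs attention.

    Three conditions are flagged:
      * the owner has no HR record at all;
      * the owner was terminated on or before `today` but the account is still
        enabled (and, worse, has been used since the termination date);
      * the account is absent from the authorized-access inventory, i.e. an
        access path management does not know about.
    """
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled is the desired end state; nothing to report
        reasons: List[str] = []
        person = roster.get(acct.owner_id)
        if person is None:
            reasons.append("no-known-owner")
        elif person.terminated is not None and person.terminated <= today:
            days_open = (today - person.terminated).days
            reasons.append(f"enabled-{days_open}d-after-termination")
            if acct.last_login is not None and acct.last_login > person.terminated:
                reasons.append("login-after-termination")
        if acct.username not in authorized:
            reasons.append("not-in-authorized-inventory")
        if reasons:
            findings[acct.username] = reasons
    return findings


def run_audit() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample data."""
    return audit_accounts(ACCOUNTS, HR_ROSTER, AUTHORIZED_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, reasons in sorted(run_audit().items()):
        print(f"{user:12s} {', '.join(reasons)}")
```

Run on a real directory export and HR feed, the "login-after-termination" finding is the one to treat as an incident rather than a hygiene item, since it means a former insider's access path was actually exercised; "no-known-owner" and "not-in-authorized-inventory" are the signals for the undocumented access paths Observation #5 describes, and an account that is both unowned and undocumented deserves the first look.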
New Starts & Future Work

New Starts

• Requirements for insider threat detection tools

• CyLab MERIT-IA (MERIT InterActive)

o Analysis of current cases

Future Work

• Self-directed risk assessment

• Best practice collaboration

• Investigative guidelines

• Extension/analysis of MERIT model

• Insider threat workshops
Questions / Comments

Points of Contact

Insider Threat Team Lead:

Dawn M. Cappelli
Senior Member of the Technical Staff
CERT Programs
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-9136 - Phone
dmc@cert.org - Email

Business Development:

Joseph McLeod
Business Manager
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-6674 - Phone
+1 412-291-3054 - FAX
+1 412-478-3075 - Mobile
jmcleod@sei.cmu.edu - Email
System Dynamics Modeling Lead:

Andrew P. Moore
Senior Member of the Technical Staff
CERT Programs
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-5465 - Phone
apm@cert.org - Email